The block was noteworthy for two reasons.
In a speech ahead of his visit to China in December, Wikipedia founder Jimmy Wales indicated he would enter discussions with the Chinese authorities around the blocking of the sites. As noted in the story:
...Mr Wales admitted that trying to convince China to lift the block may be harder this time around than in the past, due to technological changes to the site’s encryption meaning the government cannot see which specific pages an individual is viewing.
"Which means they're no longer able to filter out certain pages. So they have a choice of all of Wikipedia or none," he said, meaning negotiations that occurred in the past about single pages are no longer viable.
Once the speech made news, the authorities blocked all versions of Wikipedia, including the English one, most likely in response to it. I applaud Jimmy’s decision to continue to make available an encrypted version of Chinese Wikipedia and his commitment to fighting censorship.
The technological aspects of the block were equally interesting. The authorities blocked the encrypted version of Wikipedia by matching on the *.wikipedia.org TLS certificate, in addition to the older blocking method of DNS poisoning for zh.wikipedia.org. Blocking on the TLS certificate meant that all HTTPS versions of Wikipedia, regardless of language, were blocked.
This action by the authorities is likely a direct response to Jimmy’s mention of “blocking all of Wikipedia or none of it”. The authorities were sending a message and trying to force the online encyclopedia to switch back to HTTP. However, even if Wikipedia did this, the Chinese version of the site would still be blocked because of DNS poisoning.
Resetting the connection on sight of the TLS certificate is a novel approach to censorship. I believe that this is the first time that this method has been implemented by the Chinese authorities. It also renders the traditional method of using a hosts file to bypass DNS poisoning ineffective.
When a user accesses an encrypted website, for example https://en.wikipedia.org, the user and the server first perform a TLS handshake to establish an encrypted tunnel. During the handshake the server presents a certificate to prove that it is really Wikipedia, rather than someone else trying to hijack the connection. Wikipedia uses a wildcard certificate, namely *.wikipedia.org, and all language versions of Wikipedia use this same certificate. Because the certificate is exchanged while the encrypted connection is still being set up, it is sent in the clear and can be readily seen in transit. The GFW hence looks for this fingerprint (we don’t know exactly what it matches on: the certificate’s hash or signature would work just as well as its common name) and blocks the encrypted channel from ever being established.
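To make concrete what an on-path observer can read during that handshake, here is an added example (not code from the original post) that parses a TLS 1.2 record carrying a Certificate handshake message and pulls the subject common name out of each DER certificate. The certificate and the record are constructed inline with small helper functions; the CN value `*.wikipedia.org` and the issuer name are sample data, and the functions `toy_certificate`, `tls12_certificate_record`, `names_in_cleartext_handshake` and `matches_wildcard` are all names chosen for this illustration. The last call shows the failure mode for such matching: in TLS 1.3 the Certificate message is already encrypted and arrives as an opaque application-data record, so the parser sees nothing.

```python
"""Read the server certificate's common name out of a cleartext TLS 1.2 Certificate message."""
import struct

OID_COMMON_NAME = b"\x55\x04\x03"  # X.509 attribute 2.5.4.3 (commonName)


# ---- DER helpers, used here only to construct a toy certificate (constructed sample data) ----
def der_len(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def name_with_cn(cn: str) -> bytes:
    """Name ::= SEQUENCE OF RelativeDistinguishedName, one RDN holding a commonName."""
    atv = der(0x30, der(0x06, OID_COMMON_NAME) + der(0x0C, cn.encode()))
    return der(0x30, der(0x31, atv))


def toy_certificate(issuer_cn: str, subject_cn: str) -> bytes:
    """Deliberately minimal stand-in for a DER certificate (constructed, not a real X.509).

    Keeps the field order of a real tbsCertificate that matters here: issuer precedes subject.
    """
    tbs = der(0x30, der(0x02, b"\x01") + name_with_cn(issuer_cn) + name_with_cn(subject_cn))
    return der(0x30, tbs + der(0x03, b"\x00"))


def tls12_certificate_record(certs: list) -> bytes:
    """Wrap DER certificates in a TLS 1.2 Handshake record of type Certificate (0x0b)."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    body = len(entries).to_bytes(3, "big") + entries
    handshake = b"\x0b" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


# ---- The observer side: what a passive middlebox can parse ----
def der_iter(data: bytes):
    """Yield (tag, body) for each top-level TLV in data."""
    i = 0
    while i < len(data):
        tag, ln = data[i], data[i + 1]
        i += 2
        if ln & 0x80:  # long-form length
            n = ln & 0x7F
            ln = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + ln]
        i += ln


def find_common_names(der_bytes: bytes) -> list:
    """Collect every commonName AttributeTypeAndValue, in document order."""
    names = []
    for tag, body in der_iter(der_bytes):
        if tag & 0x20:  # constructed type: look inside
            items = list(der_iter(body))
            if len(items) == 2 and items[0][0] == 0x06 and items[0][1] == OID_COMMON_NAME:
                names.append(items[1][1].decode("utf-8", "replace"))
            else:
                names.extend(find_common_names(body))
    return names


def names_in_cleartext_handshake(record: bytes) -> list:
    """Subject CNs visible in one TLS record; [] for anything that is not a cleartext Certificate.

    A TLS 1.3 Certificate message travels inside encrypted records (content type 0x17),
    so the same observer gets nothing from it.
    """
    if len(record) < 5 or record[0] != 0x16:
        return []
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x0B:
        return []
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    i, end, subjects = 3, 3 + int.from_bytes(body[0:3], "big"), []
    while i < end:
        clen = int.from_bytes(body[i:i + 3], "big")
        cns = find_common_names(body[i + 3:i + 3 + clen])
        if cns:
            subjects.append(cns[-1])  # issuer comes first, so the last CN is the subject's
        i += 3 + clen
    return subjects


def matches_wildcard(hostname: str, pattern: str) -> bool:
    """Does a single wildcard label cover this host? Shows why one CN covers every language edition."""
    if hostname == pattern:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]
        head = hostname[:-len(suffix)] if hostname.endswith(suffix) else ""
        return bool(head) and "." not in head
    return False


if __name__ == "__main__":
    rec = tls12_certificate_record([toy_certificate("Toy CA (constructed)", "*.wikipedia.org")])
    print(names_in_cleartext_handshake(rec))                              # ['*.wikipedia.org']
    print(names_in_cleartext_handshake(b"\x17\x03\x03\x00\x05hello"))     # [] (encrypted record)
    print([h for h in ("en.wikipedia.org", "zh.wikipedia.org") if matches_wildcard(h, "*.wikipedia.org")])
```

The record parser deliberately has no notion of which hostname the client asked for: the certificate alone is enough to tell every language edition apart from the rest of the web, which is exactly why one match rule took down all of them at once.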
This is a novel censorship method in that it only blocks the HTTPS version of the site. When a user accesses the HTTP site in plaintext, there is no TLS handshake and no certificate exchange, so HTTP traffic would not be disrupted. But in the case of Wikipedia, because it employs HSTS, browsers will not fall back to plain HTTP at all. Hence, all of Wikipedia appears to be blocked.